The OpenNET Project

MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC))


Date: Tue, 15 May 2001 17:00:43 -0400
From: Rich Lafferty <rich@alcor.concordia.ca>
To: bugtraq@securityfocus.com
Subject: MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC))

On Tue, May 15, 2001 at 02:15:45PM +0100, Andrew Hilborne (andrew.hilborne@uk.xo.com) wrote:
> > 
> > (At least not if your /var/mail directory has the standard 1777 permissions)
> > 
> > By forcing a file permission of 600 on mailboxes, group mail should not
> > gain you anything.
> 
> Just how do you force 0600 on mailboxes which don't exist (many MUAs remove
> empty mailboxes)?

If that's true, then even *without* this particular bug in Solaris,
there's an icky denial of service attack waiting to happen. Sticky
mailspools are awfully common these days, and all that stops Bob from
doing

  touch /var/spool/mail/alice

and causing the MTA to refuse to deliver is that Alice's mailbox
should never *not* be there in the first place. 

Which MUAs behave in the way you describe?
 
> Since you cannot easily do this, at the very least a malicious user should be
> able to steal other users' mail. I think.

If they can, then *that's* a flaw in the MTA, which should never
deliver into something that isn't owned by the recipient.

  -Rich 

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------
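The check Rich describes (the MTA must not deliver into a spool file that is not owned by the recipient) as an added example, not code from the thread or from any particular MTA. It lstat()s the spool entry and refuses delivery when the entry is a symlink, not a regular file, owned by someone other than the recipient, hard-linked elsewhere, or readable by group/other; a missing file is fine because the MTA creates it itself. The `demo()` function recreates the `touch /var/spool/mail/alice` scenario in a temporary directory standing in for `/var/spool/mail`, with the current uid playing Bob and an assumed uid of `getuid() + 1` playing Alice; `fake_stat()` builds constructed stat results so the rules can be exercised without root.

```python
"""Pre-delivery spool file ownership check (constructed example, not an MTA's code)."""
import os
import stat
import tempfile


def validate_mailbox(st, recipient_uid):
    """Decide whether an existing spool entry may receive mail for recipient_uid.

    `st` is an os.stat_result from os.lstat(), so a symlink is seen as a symlink
    rather than as whatever it points to. Returns (ok, reason).
    """
    if stat.S_ISLNK(st.st_mode):
        return False, "spool entry is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "spool entry is not a regular file"
    if st.st_uid != recipient_uid:
        # This is the case from the thread: someone else pre-created the file.
        return False, "spool file owner uid %d != recipient uid %d" % (st.st_uid, recipient_uid)
    if st.st_nlink != 1:
        return False, "spool file has %d hard links" % st.st_nlink
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "spool file is group/world accessible (mode %o)" % (st.st_mode & 0o777)
    return True, "ok"


def check_mailbox(path, recipient_uid):
    """lstat the spool path and validate it.

    A missing file is acceptable: the MTA creates it as the recipient with mode
    0600, so nobody else gets to choose its owner.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return True, "no spool file yet; MTA will create it as the recipient"
    return validate_mailbox(st, recipient_uid)


def fake_stat(mode, uid, nlink=1):
    """Constructed os.stat_result for exercising the rules without root."""
    # (st_mode, st_ino, st_dev, st_nlink, st_uid, st_gid, st_size, atime, mtime, ctime)
    return os.stat_result((mode, 1, 1, nlink, uid, uid, 0, 0, 0, 0))


def demo():
    """Recreate the scenario from the thread in a temporary spool directory.

    The current user plays Bob; an assumed uid of getuid() + 1 plays Alice.
    Returns (refused_for_alice, accepted_for_bob, missing_file_ok).
    """
    bob = os.getuid()
    alice = bob + 1  # assumption: some uid other than ours
    with tempfile.TemporaryDirectory() as spool:
        path = os.path.join(spool, "alice")
        open(path, "a").close()  # the "touch" from the thread, done as Bob
        os.chmod(path, 0o600)    # even with strict mode, the owner is wrong
        refused = check_mailbox(path, alice)
        accepted = check_mailbox(path, bob)
        missing = check_mailbox(os.path.join(spool, "carol"), alice)
    return refused[0], accepted[0], missing[0]


if __name__ == "__main__":
    print(demo())
```

Refusing delivery is the safe side of this check: the file Bob created is not a mailbox the MTA can trust, so the message is deferred or bounced rather than written where the wrong user can read it. The denial-of-service Rich describes is still real, though, which is why the fix belongs in the MUA (do not remove an empty spool file) or in the spool's permissions, not only in the MTA.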


Created 1996-2012 by Maxim Chirkov  